This web site uses cookies. By using the site you accept the cookie policy.This message is for compliance with the UK ICO law.

.NET 1.1+

Checking Password Strength

Many computer systems require that a password is provided before permitting access to sensitive data. As some passwords are easy to crack using brute force techniques, it is common to give the user feedback to show the strength of their selected password.

GeneratePasswordScore Method

The first method that we will create in the PasswordStrengthChecker class generates the score for a password using the previously described rules. The method, named GeneratePasswordScore, includes a single parameter that accepts the password. The signature of the method is therefore:

public int GeneratePasswordScore(string password)

The first action of the method is to check that a non-null password has been provided. If the password is null, a zero score for the password is returned immediately. If the password is not null, the five scores, based upon the length of the password and the different types of character, are calculated individually before being summed and returned.

To complete the method, add the following code to its code block.

if (password == null) return 0;
int lengthScore = GetLengthScore(password);
int lowerScore = GetLowerScore(password);
int upperScore = GetUpperScore(password);
int digitScore = GetDigitScore(password);
int symbolScore = GetSymbolScore(password);
return lengthScore + lowerScore + upperScore + digitScore + symbolScore;

We now need to create the five private methods that calculate the individual scores. The first of these generates a score based upon the length of the password, allocating six points for every character. The Math.Min method is used to ensure that points are only given for the first ten characters. Further characters would increase the strength of the password but this limit is useful for ensuring that the overall password score is one hundred or less. The result of the Min operation is multiplied by six and returned.

private int GetLengthScore(string password)
    return Math.Min(10, password.Length) * 6;

The next part of the score is based upon the number of lower case letters that are present within the password. This will be zero if there are no lower case letters, five points if there is a single lower case letter and ten points otherwise. To determine the number of lower case letters we can use the Regex.Replace method with a regular expression that replaces all characters in the range "a-z" with empty strings. This reduces the password's length by the number of matching letters. We can then subtract the new length from the original and multiply by five to obtain the score. Again, the Math.Min method is used so that a maximum of two characters is included in the calculation.

As we are using the Regex class, add the following using directive to the code to simplify access to the System.Text.RegularExpressions namespace:

using System.Text.RegularExpressions;

Now add the GetLowerScore method.

private int GetLowerScore(string password)
    int rawScore = password.Length - Regex.Replace(password, "[a-z]", "").Length;
    return Math.Min(2, rawScore) * 5;

The remaining three score calculation methods follow the same pattern as the previous one. In each case a regular expression is used to remove the characters that are being counted and a score is calculated using Math.Min and multiplication. For the symbol score the lower case and upper case letters and the numeric digits are all removed by the regular expression.

private int GetUpperScore(string password)
    int rawScore = password.Length - Regex.Replace(password, "[A-Z]", "").Length;
    return Math.Min(2, rawScore) * 5;

private int GetDigitScore(string password)
    int rawScore = password.Length - Regex.Replace(password, "[0-9]", "").Length;
    return Math.Min(2, rawScore) * 5;

private int GetSymbolScore(string password)
    int rawScore = Regex.Replace(password, "[a-zA-Z0-9]", "").Length;
    return Math.Min(2, rawScore) * 5;

Password Strengths

The next step is to convert the numeric score to one of a set of values that is more appropriate for the software's users. The five possible password strengths, ranging from Unacceptable to Secure, are defined in an enumeration:

public enum PasswordStrength

Obtaining the Password Strength Value

We can now add the GetPasswordStrength method that obtains the strength of the password as a PasswordStrength constant. The method begins by calling the GeneratePasswordScore method. It then compares the score to the limits of each numeric range using a series of if conditions.

Add the following method to the PasswordStrengthChecker class:

public PasswordStrength GetPasswordStrength(string password)
    int score = GeneratePasswordScore(password);

    if (score < 50)
        return PasswordStrength.Unacceptable;
    else if (score < 60)
        return PasswordStrength.Weak;
    else if (score < 80)
        return PasswordStrength.Ok;
    else if (score < 100)
        return PasswordStrength.Strong;
        return PasswordStrength.Secure;
19 September 2011